While the world is reeling from the recent CrowdStrike outage caused by a faulty update, Google recently faced a significant security issue related to Workspace accounts. Google Workspace allows businesses to create professional email addresses using their company's domain name, such as alex@companydomain.com. Businesses can also access Google Drive, Gmail calendars, Google Meet, and more through a Google Workspace account.
Google recently found that hackers were able to bypass the email verification step that is required to create a Google Workspace account. For example, if you want to create a Google Workspace account for alex@microsoft.com, you first need to verify that the email address belongs to you. However, hackers bypassed this basic requirement. Even worse, the resulting Google Workspace account could be used at third-party services that accept "Sign in with Google" as a login mechanism.
Google sent the following statement in an email to affected users:
"In the last few weeks, we identified a small-scale abuse campaign whereby bad actors circumvented the email verification step in our account creation flow for Email Verified (EV) Google Workspace accounts using a specially constructed request. These EV users could then be used to gain access to third-party applications using "Sign In with Google"."
Google informed KrebsOnSecurity that the issue began in late June, impacting "a few thousand" Workspace accounts, and they fixed the issue within 72 hours of discovering it. Google has also confirmed that it has added additional detection to protect against these types of authentication bypasses.
Here’s how hackers bypassed email verification for Google Workspace accounts:
- Google offers a free Workspace trial account that allows users to try out services like Google Docs.
- However, to create a Workspace account that has Gmail and domain-dependent services, email verification is required.
- Hackers created a specially constructed request to circumvent email verification during the signup process.
- Hackers would use one email address to try to sign in and a completely different email address to verify a token.
- Once the accounts were email verified, in some cases Google says it saw them being used to access third-party services through Google single sign-on.
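The pattern in the bullets above, as an added illustration that is not Google's code: a hypothetical, minimal verification-token store whose flawed check trusts the email address in the verification request, beside a fixed check that binds the token to the address it was originally issued for. The store, addresses and TTL are constructed for the example.

```python
import secrets
import time

TOKEN_TTL = 15 * 60  # seconds; constructed value for the example


class VerificationStore:
    """Hypothetical email-verification store (not a real product's code)."""

    def __init__(self):
        self._tokens = {}      # token -> (email it was issued for, issue time)
        self.verified = set()  # addresses the service now believes are owned

    def issue(self, email: str) -> str:
        """Mint a single-use token and remember which address it was sent to."""
        token = secrets.token_urlsafe(32)
        self._tokens[token] = (email.lower(), time.time())
        return token

    def verify_unbound(self, submitted_email: str, token: str) -> bool:
        """Flawed check: confirms only that the token exists and is fresh.
        The address in the request is trusted, so a token delivered to one
        mailbox can mark a completely different address as verified."""
        record = self._tokens.pop(token, None)
        if record is None or time.time() - record[1] > TOKEN_TTL:
            return False
        self.verified.add(submitted_email.lower())
        return True

    def verify_bound(self, submitted_email: str, token: str) -> bool:
        """Fixed check: a token proves ownership only of the address it was
        issued for, so the request's address must match the stored record.
        Any mismatch consumes the token so it cannot be retried."""
        record = self._tokens.pop(token, None)
        if record is None:
            return False
        issued_email, issued_at = record
        if time.time() - issued_at > TOKEN_TTL:
            return False
        if not secrets.compare_digest(issued_email.encode(),
                                      submitted_email.lower().encode()):
            return False  # token belongs to another address: reject
        self.verified.add(issued_email)
        return True
```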
The comments by various Google Workspace account holders on Hacker News and in Krebs on Security's comments section tell a slightly different story. It looks like the email verification bypass issue had been going on for more than a month.
One user was affected by the issue on June 6th, which is well before the late-June start that Google claims. A commenter named David Keaton claims that he faced a similar problem back in 2012 and again in July 2023. Another commenter says he reported the issue to Google on June 7th as well; his actual comment is quoted below:
"What Google says is simply not true. Attacks started around early June. I write here as one of the victims from that time. Even more - have a buganizer ticket number from June the 7th with initial findings. It was fixed about a month later."
Google"s lack of transparency regarding the timeline and full extent of the Workspace security flaw raises concerns. A clear and detailed public disclosure, including proactive steps taken to prevent future breaches, would be a more responsible approach. Additionally, acknowledging the issue with a formal blog post would demonstrate a commitment to transparency and user trust.
Source: Krebs on Security